The path that introduced millions of learners to offensive security has evolved. Here's everything that's new, what's changed, and why now is the best time to start.
Most people don't fail at becoming a penetration tester because they lack interest. They fail because the learning journey is unclear, fragmented, or too theoretical. You can spend hours watching videos, reading writeups, and collecting certifications and still walk into an interview unsure whether you can actually do the job.
That's the problem the Jr Penetration Tester learning path was built to solve. And today, we're launching the most significant update it's ever had.
Why We Rebuilt It
The Jr Penetration Tester path has been one of TryHackMe's most completed learning paths since it launched. For a lot of people, it was their first real introduction to offensive security - the thing that turned curiosity into a career direction.
But the offensive security landscape has changed significantly since then. The tools, techniques, and attack surfaces that junior pentesters are expected to know in 2026 look different from what they were when the path was first built. Active Directory has become an even more critical area of focus. Web stacks have evolved. The industry's expectations around end-to-end methodology and reporting have sharpened.
So we evolved the path to match. This isn't a rebrand. It's a ground-up rework of the most important sections, with new rooms, updated content, and a structure designed to take you from foundational knowledge to genuinely job-ready. We've expanded the areas that needed more depth, modernised the content to reflect how offensive security is practised today, and added new rooms and challenges that bring the full picture together.
What's New
A Dedicated Active Directory Module
Active Directory is one of the most important attack surfaces in enterprise environments, and one of the most commonly tested areas in junior pentester interviews. The old path had a single introductory room. The revamped path has a full 9-room module:
- Active Directory Basics
- Intro to Authentication
- Intro to AD Breaching (new)
- Basic Enumeration
- Authenticated Enumeration (new)
- Intro to Credential Harvesting (new)
- Intro to Lateral Movement (new)
- Active Directory Challenge 1 (new)
This module builds the foundational AD attack skills that real junior pentesting roles expect: Kerberos, NTLM relay, lateral movement, and credential harvesting from LSASS and SAM.
Complete Web Security Revamp
Every room in the Web Security module has been rewritten end-to-end, with a brand-new CSRF Introduction room added to complete OWASP Top 10 (2025) coverage. The module now covers SQL Injection, XSS, CSRF, SSRF, IDOR, Broken Authentication, Directory Traversal, Command Injection, and API Testing, all with live, vulnerable targets you attack directly in-browser.
Three New Capstone Challenges
The path now ends with three full kill-chain capstone challenges that test everything you've built across all prior modules. These aren't theory questions - they're hands-on scenarios designed to mirror what real junior pentester interviews and assessments look like, and they serve as the canonical preparation for the Jr Penetration Tester certification (PT1).
A Modernised Introduction
Two new beginner-focused rooms have been added at the very start of the path, including guided end-to-end pentests for both web and network targets. These are designed to give you a feel for what pentesting actually looks like before you dive into the technical depth, so you know where you're headed from day one.
The Full Picture: 89 Rooms Across 17 Modules
Here's how the revamped path is structured from start to finish:
The path takes approximately 70-90 hours of hands-on lab time from start to finish. Every single room is paired with a live, vulnerable machine you attack directly in-browser.
Built in Lockstep With the Jr Pentester Certification
The revamped path isn't just content for its own sake; it's the canonical study route for TryHackMe's Jr Penetration Tester certification (PT1). Every module, every capstone challenge, and every skill area has been designed in lockstep with what the certification tests.
Finish the path. Sit the cert. Walk into interviews with the skills and vocabulary employers actually ask about.
The clear progression is: learn → practice → validate → get hired.
Who This Is For
The Jr Penetration Tester path is built for:
Aspiring pentesters and offensive security practitioners who have completed foundational cyber content and want a structured, hands-on route into a junior pentesting role. Whether you're self-taught, switching careers, or studying cyber security formally, this path is designed to bridge the gap between foundational knowledge and your first offensive security job.
SOC analysts, IT professionals, and blue teamers who want to develop offensive skills to better understand attacker techniques and potentially transition into red team or pentesting roles.
You'll need basic Linux command-line skills, networking fundamentals, and a willingness to read documentation. Everything else is built into the path.
What You'll Be Able to Do
By the time you complete the path, you'll be able to:
- Run an end-to-end penetration test from scoping and reconnaissance through to privilege escalation, post-exploitation, and a professional written report
- Test web applications across the full OWASP Top 10 (2025), using Burp Suite and purpose-built exploitation skills
- Enumerate and attack Active Directory environments: authentication abuse, lateral movement, credential harvesting, and domain exploitation
- Escalate privileges on both Linux and Windows targets using systematic, professional techniques
- Use Metasploit and the wider exploitation toolkit fluently, including payload generation and post-exploitation
- Research, identify, and communicate vulnerabilities in the way that employers and clients expect
- Walk into a junior pentester interview with the practical skills and vocabulary to hold your own
Start Now
The Jr Penetration Tester path is live today. 89 rooms. 17 modules. A clear route to your first offensive security role.
Already completed the original path? The revamped version has significant new content, particularly the AD module, the web security overhaul, and the capstone challenges. It's worth coming back for.
Carah Els